Table of Contents
The RBI CKYC reliance guidance introduced in December 2025 reshapes how financial institutions manage KYC accountability and compliance in India. This framework clarifies liability under the Central KYC Registry (CKYCR), particularly identifying the “last updating institution” as responsible for data accuracy.
This article explores the Reserve Bank of India’s (RBI) new guidance on CKYC reliance and its impact on financial institutions. This article is intended for compliance, risk, and operations professionals in Indian financial institutions who need to understand the operational and liability implications of RBI’s new CKYC reliance guidance. The focus is on clarifying which institution is responsible for KYC record accuracy and how this affects day-to-day compliance and risk management.
The Central KYC Registry (CKYCR) is a centralized database for KYC records of customers in India. The CKYC Identifier is a unique 14-digit number assigned to individuals upon completing KYC formalities. Financial institutions regulated by RBI must register their customers under the CKYC framework.
What is the RBI's new CKYC reliance guidance and how does it affect financial institutions?
The Reserve Bank of India (RBI) is the central bank of India and serves as the regulatory body for the Indian banking system and currency.
The Central KYC Registry (CKYCR) is a centralized database for KYC records of customers in India.
Financial institutions regulated by RBI must register their customers under the CKYC framework.
The new RBI guidance clarifies that the last institution to update a CKYC record is responsible for its accuracy and compliance.
This means that whenever a financial institution uploads or modifies a CKYC record, it becomes accountable for the correctness and completeness of that data, impacting operational processes and liability exposure.
There may be charges applicable for certain CKYC data validation, application processing, or re-upload procedures, as specified by the relevant financial institution.
Executive summary: What RBI’s ‘reliance’ guidance changes today
The Reserve Bank of India’s December 2025 amendment to its Master Direction on KYC introduces a pivotal clarification. Other regulated entities supervised by RBI, SEBI, IRDAI, and PFRDA may rely on a Central KYC Registry (CKYCR) record—but only if that record is current and fully compliant with the Prevention of Money Laundering Act (PMLA), 2002 and associated Rules. The Payment and Settlement Systems Act of 2007 gives the RBI oversight authority for payment and settlement systems in India.
The critical shift: the institution that most recently uploaded or modified the CKYC record becomes the primary “owner” of its accuracy. Institutions may authorize designated personnel or third-party service providers to upload or update CKYC records on their behalf, but the institution remains ultimately responsible for the data’s accuracy. This means every address refresh, risk rating update, or document renewal you push to CKYCR makes your organisation the accountable party for that customer’s KYC data.
For banks, NBFCs, payment banks, fintechs, and securities intermediaries, this translates to:
Reduced duplication in customer onboarding via CKYC downloads
Clearer liability allocation when audits or enforcement actions arise
Heightened scrutiny on whoever performed the last update
Who should read this article:
Chief Risk Officers (CROs) and Chief Compliance Officers (CCOs)
Chief AML Officers (CAMLOs) and Heads of Operations
Product leads at fintechs building onboarding workflows
Legal and regulatory affairs teams at financial institutions
ZIGRAM’s platforms are purpose-built for this environment, ensuring that every KYC submission is “first-time right” and defensible under the new framework.
To understand the full impact of these changes, it’s important to review the regulatory backdrop and the evolution of CKYC reliance.
Introduction to the Reserve Bank of India
The Reserve Bank of India (RBI) stands at the heart of the nation’s financial architecture, serving as the central bank responsible for regulating the currency and credit system across the country. Established in 1935, the RBI’s mandate extends far beyond simply issuing currency notes—it is tasked with maintaining monetary stability, supporting economic growth, and ensuring price stability in an increasingly complex economy. As the primary regulator for commercial banks and scheduled commercial banks, the RBI oversees a vast network of banking services that touch every corner of India. This network includes public sector banks, which play a crucial role in implementing government policies and promoting financial inclusion.
Operating from its central office in Mumbai and a network of branches nationwide, the Reserve Bank of India acts as the banker to both the government and the banking sector. The RBI serves as banker to both the central and state governments, maintaining their accounts and facilitating government transactions. It manages the flow of credit, supervises banking operations, and implements policies that safeguard the integrity of the currency and credit system.
By setting broad parameters for interest rates, lending, and investment, the RBI ensures that banks across India operate within a stable and secure financial environment. Its regulatory oversight is crucial for maintaining public confidence in the banking system and for supporting the government’s broader economic objectives.
RBI: Historical and Structural Overview
The RBI was established on 1 April 1935 under the Reserve Bank of India Act, 1934. It was nationalized on 1 January 1949 and is fully owned by the Government of India. The RBI regulates the issue of bank notes and is responsible for the control, issue, and supply of the Indian rupee. As the sole body authorized to issue banknotes in India, the RBI manages the currency supply, including through its Clean Note Policy, which ensures the quality and reliability of banknotes by replacing worn-out or obsolete notes. The central board of directors, composed of the governor, deputy governors, and other members, is responsible for the overall direction of the bank.
The RBI works closely with major financial institutions and government-related organizations, such as India Ltd, to ensure the smooth functioning of the country’s financial system.
Monetary Policy Framework: RBI’s Role in Shaping Financial Stability
The Reserve Bank of India (RBI) stands as the architect of the nation’s monetary policy framework, playing a pivotal role in maintaining monetary stability and fostering sustainable economic growth. As the central bank, the RBI is entrusted with the responsibility of regulating the currency and credit system across India, ensuring that commercial banks and other financial institutions operate within well-defined, broad parameters. This oversight is fundamental to maintaining price stability and securing the overall health of the country’s financial ecosystem.
At the heart of the RBI’s mandate is the goal to maintain price stability while supporting the broader objectives of economic development. Through its modern monetary policy framework, the Reserve Bank of India continuously monitors and adjusts key levers, such as interest rates, liquidity provisions, and credit flow to respond to evolving economic conditions. This adaptability is crucial in an increasingly complex economy, where global and domestic factors can rapidly influence the currency and credit system.
The RBI’s policies directly impact how banks and financial institutions extend credit, manage currency, and support the needs of businesses and consumers. By setting clear guidelines and maintaining a vigilant watch over the credit system, the RBI helps ensure that India’s financial institutions remain resilient, competitive, and aligned with the nation’s growth trajectory. In doing so, the Reserve Bank of India not only safeguards monetary stability but also reinforces the trust and confidence that underpin the country’s dynamic financial sector.
Regulatory backdrop: Reserve Bank of India, PMLA and the evolution of Central KYC (CKYC) reliance
The Reserve Bank has served as India’s central bank and primary banking regulator since 1935, overseeing commercial banks, banking companies, NBFCs, payment banks, and small finance banks. Within the RBI, specific departments such as the Department of Banking Supervision play a crucial role in financial regulation, fraud prevention, and oversight activities. Its modern monetary policy framework balances securing monetary stability with maintaining price stability in an increasingly complex economy.
Parallel to RBI’s banking regulation mandate, the money laundering act of 2002 (PMLA) established India’s core anti-money laundering framework. It mandates customer due diligence, risk assessment, record-keeping, and reporting of suspicious transactions to FIU-IND.
The Government of India’s 26 November 2015 notification, issued by India vide subsection 20(1) of the SARFAESI Act, 2002, authorized the Central Registry of Securitisation Asset Reconstruction and Security Interest (CERSAI) to operate the Central KYC Records Registry (CKYCR). The Central KYC Registry (CKYCR) is a centralized database for KYC records of customers in India. The CKYC Identifier is a unique 14-digit number assigned to individuals upon completing KYC formalities.
Financial institutions regulated by RBI must register their customers under the CKYC framework. This created a single repository where all reporting entities must upload, maintain, and access standardised KYC records linked by a unique 14-digit CKYC Identifier Number (KIN), which is assigned to individuals upon successful completion of KYC formalities.
Financial institutions regulated by RBI must register their customers under the CKYC framework.
What began as a basic repository has evolved into a regulatory expectation. Today, banks, mutual funds, insurers, and pension players must integrate CKYCR into their onboarding and periodic review processes.
Key regulatory stakeholders include:
Regulator | Supervised Entities |
|---|---|
RBI (including relevant departments) | Banks, NBFCs, payment banks |
SEBI | Mutual funds, securities intermediaries |
IRDAI | Insurance companies |
PFRDA | Pension funds |
FIU-IND | All reporting entities (STR reporting) |
The newest reliance-related clarifications represent a broader supervisory trend: reducing friction in KYC while tightening accountability. As Indian banks and financial institutions expand their digital banking services, the currency and credit system demands both efficiency and auditability.
Transitioning from the regulatory context, let’s decode how the RBI/CKYCR reliance model works in practice.
Decoding the RBI / CKYCR ‘reliance’ model
In practical terms, “reliance” means one reporting entity uses KYC details originally created or last updated by another regulated entity—without re-performing full KYC from scratch.
The 14-digit CKYC Identifier (KIN) makes this possible. Once generated for a customer, any regulated institution can pull the corresponding KYC record from CERSAI. If certain conditions are met, that institution can “rely” on the data for onboarding.
Core Conditions for Valid Reliance
The CKYC record must be active (not flagged as “old”)
It must meet PMLA Rules requirements: proof of identity, proof of address, risk categorisation, officially valid documents, photograph, and signatures
Beneficial ownership information must be complete
The record must be updated for any material changes
This transforms onboarding workflows. Instead of collecting every document from scratch, institutions can:
Download the CKYC record via KIN
Validate that the record is compliant and current
Conduct supplementary checks where needed (sanctions screening, enhanced due diligence for high-risk account holders)
However, reliance does not exempt the relying institution from its own risk assessment and transaction monitoring obligations under RBI’s Master Directions. Credit facilities extended to customers still require independent evaluation.
To fully grasp the operational impact, it’s essential to understand the new accountability rule for CKYC records.
The new accountability rule: last-updating institution as the “record owner”
Recent guidance eliminates prior ambiguity. The institution that performs the most recent KYC update in CKYCR is fundamentally responsible for that record’s correctness and completeness. This creates clarity for government securities dealings, lending operations, and all transactions requiring verified customer identity. The RBI’s regulatory framework also directly impacts how institutions grant loans, ensuring that credit is extended only to customers with verified and up-to-date KYC records.
What Constitutes a “Last Updating Institution”?
It’s the bank, NBFC, insurer, or intermediary that last uploaded changes such as:
Address updates
Name changes
Risk rating modifications
Beneficial ownership refreshes
Document renewals under PMLA-driven periodicity norms
The accountability scope is significant. Misclassified risk, missing beneficial ownership information, expired OVDs, or stale addresses become primarily the responsibility of the last updater, particularly if they attested to the data during periodic KYC updates.
Previously, multiple institutions stored duplicate KYC versions, diffusing liability across the credit system. Now, CKYCR holds a canonical customer KYC record with a clearly accountable last contributor.
How Relying Institutions Gain Protection
Evidencing that the CKYC record was current and not flagged as deficient
Ensuring full alignment with PMLA and RBI KYC Directions
Downloading with proper timestamps and audit trails
This creates clarity for government securities dealings, lending operations, and all transactions requiring verified customer identity.
Understanding accountability is only part of the picture; let’s see how this plays out across the entire KYC lifecycle.
Implications across the KYC lifecycle: from onboarding to exit
Understanding accountability requires viewing KYC as a lifecycle, not a one-time event.
Onboarding
Institutions must perform “first-time right” KYC capture: identity, address, occupation, beneficial ownership, photograph, and signatures. This foundational record, uploaded to CKYCR, may be reused by dozens of financial institutions throughout the customer’s financial life.
Getting it wrong at this stage propagates errors across the entire credit system.
Periodic Review
RBI’s risk-based periodicity framework intersects directly with CKYCR updates:
Risk Category | Review Frequency |
|---|---|
High-risk | Every 2 years |
Medium-risk | Every 8 years |
Low-risk | Every 10 years |
The institution conducting the periodic review becomes the new “last updater,” inheriting accountability.
Event-driven Updates
Material changes trigger immediate update obligations:
Legal name changes
Address shifts
PAN updates
Mobile number changes
Controlling shareholder modifications
The institution processing these changes must promptly push updates to CKYCR.
Enhanced Due Diligence
High-risk segments, non-resident customers, complex ownership structures, cross-border exposures, and crypto-linked businesses require data beyond CKYC’s standard fields. Institutions remain accountable for this extended information even when relying on CKYC for base identity.
Exit/Closure
Account closure doesn’t eliminate historical accountability. Accurate CKYCR updates (status flags, date of last interaction) demonstrate that banking operations met ongoing monitoring obligations through the point of exit.
With lifecycle implications in mind, let’s examine what relying institutions must still do to manage risk and liability.
Risk transfer and liability: what scheduled commercial banks and relying institutions must still do
“Reliance” is not a blanket liability shield.
RBI’s Master Direction on KYC and PMLA obligations still expect each institution to perform customer due diligence commensurate with risk. The new framework re-balances, not eliminates, liability.
Factual errors and stale data in CKYC are attributable primarily to the last-updating institution. But failures in risk assessment, monitoring, and reporting remain with each relying entity. The RBI may also implement selective credit control measures, directing banks to restrict or influence credit allocation to certain sectors or commodities as part of its risk management strategy.
Controls Relying Institutions Must Maintain
Validate record currency (check for older-version flags)
Verify risk indicators match the business relationship
Screen against sanctions and watchlists at onboarding and periodically
Apply transaction monitoring rules based on internal risk appetite
Maintain audit trails of CKYC downloads, reliance decisions, and approvals
In supervisory reviews, scheduled commercial banks and fintechs must demonstrate they conducted independent analysis. If a high-risk customer’s CKYC record is incorrectly marked low-risk by the last updater, and another institution relies on this without scrutiny, both face questions.
But the data error traces first to the updating entity.
RBI penalties for KYC lapses averaged INR 50-100 crore in 2025. The stakes for getting this wrong are material.
To operationalise compliance, institutions must focus on robust processes, controls, and technology.
Operationalising compliance: processes, controls, and technology
Key Process Elements
Centralised KYC operations teams with clear ownership
Maker-checker workflows for all CKYC uploads and updates
Documented standard operating procedures
Periodic sampling-based quality checks (e.g., 5% of uploads reviewed)
Data-quality Controls
Mandatory field validation before upload
Automated document expiry checks
Address standardisation algorithms
Beneficial owner percentage verification
Technology Integration
API-based connections to CKYCR
Automated field mapping to core banking, LOS, and LMS systems
Immutable logging of every CKYC interaction (upload, modify, download, reject)
Governance Requirements
Assign a senior functionary, Head of KYC Operations or CAMLO, as owner of CKYC data quality
Establish dashboards tracking:
Error rates and rejection statistics
Post-upload correction volumes
Regulatory feedback and inspection findings
Target rejection rates below 2%. Studies indicate CKYCR rejection rates can hit 10-20% when fields are incomplete.
With compliance processes in place, let’s look at KYC’s role in secure payment and settlement systems.
Payment and Settlement Systems: KYC’s role in secure transactions
In India’s dynamic financial landscape, the Reserve Bank of India has made Know Your Customer (KYC) compliance a cornerstone of secure payment and settlement systems. By mandating that all banks and financial institutions maintain up-to-date KYC records in the Central KYC Registry, the RBI ensures that every transaction, whether at a bank branch or through digital channels, is backed by verified customer information.
The RBI manages the country’s main payment systems and established the National Payments Corporation of India (NPCI) to promote and regulate these systems, including the clearing of cheques and electronic fund transfers. This centralized approach to storing KYC details not only streamlines onboarding for customers but also fortifies the payment ecosystem against fraud and illicit activities.
The Central KYC Registry acts as a single source of truth for customer identification, enabling banks and financial institutions to access accurate KYC records and validate customer details efficiently. This process is essential for safeguarding transactions, protecting account holders, and maintaining the integrity of India’s payment systems.
The National Electronic Funds Transfer (NEFT) system, overseen by the RBI, allows individuals and firms to transfer funds from one bank to another efficiently and securely. By enforcing strict KYC norms, the Reserve Bank of India helps prevent money laundering, ensures compliance with the Money Laundering Act, and upholds the trust of millions of customers who rely on secure, seamless banking services every day.
As payment systems evolve, institutions must also manage the complete customer lifecycle with precision.
ZIGRAM’s approach: managing the complete customer lifecycle “first-time right”
ZIGRAM is a RegTech and financial crime risk management firm providing B2B SaaS and managed services solutions for KYC, AML, and compliance across regulated institutions globally.
Our design philosophy for India-facing solutions centres on ensuring every client institution’s initial and subsequent KYC submissions to CKYCR are “first-time right” complete, PMLA-compliant, and audit-ready minimising downstream liability as the last updater.
ZIGRAM Solutions Across the KYC Lifecycle
Stage | ZIGRAM Solution |
|---|---|
Pre-onboarding | PreScreening.io (name screening, sanctions checks) |
Risk scoring | Entity Hero (entity risk assessment, beneficial ownership) |
Due diligence | DueDiliger (EDD reports) |
Ongoing monitoring | Transact Comply (transaction monitoring) |
Adverse media | Dragnet Alpha, SATOC (news surveillance) |
Our managed services teams can assume operational responsibility for KYC data capture, validation, and CKYC upload, reducing error rates and ensuring consistency with RBI’s KYC Directions.
This lifecycle view ensures that when a ZIGRAM client acts as the “last updating institution,” it can demonstrate robust processes, accurate data, and documented checks. Partner implementations report 90% error reduction in CKYC submissions.
Transitioning from solutions to operational alignment, let’s see how ZIGRAM supports CKYC reliance and RBI-aligned accountability.
How ZIGRAM supports CKYC reliance and RBI-aligned accountability
Tagging and Tracking Customer Records
Every customer record can be tagged with:
CKYC KIN
Last download and upload dates
Source entity
Data-quality score
Integrated Screening at Reliance
Even when relying on CKYC data, PreScreening.io conducts fresh watchlist and PEP screening against RBI, OFAC, EU, UN, and domestic sanctions lists. This satisfies the independent verification obligation.
Beyond CKYC with Entity Hero
Entity Hero builds detailed entity risk profiles on top of CKYC data capturing beneficial ownership, group structures, sector risk, and geography risk. This addresses gaps in the core CKYC schema that become critical for high-risk customers.
Continuous Adverse Media Monitoring
Dragnet Alpha and SATOC modules scan for negative news and emerging risk signals. A “clean” CKYC file shouldn’t be mistaken for a low-risk customer when public information suggests otherwise.
Audit-ready Infrastructure
ZIGRAM provides immutable audit logs, configurable workflows, and reporting packs. Clients can evidence exactly how they used CKYC whether uploading, updating, or relying and which internal controls applied at each stage.
With robust support for reliance and accountability, institutions must also focus on data quality and auditability.
Data quality, auditability, and defending “last updater” KYC records decisions
Under the new framework, defending past KYC decisions matters as much as making correct ones especially when your institution is identified as the last updater.
Data-quality Metrics to Track
Rejection rates from CKYCR
Percentage of records with missing mandatory fields
Volume of post-upload corrections
Regulatory inspection findings related to KYC data
Audit Trail Requirements
For any given KIN, institutions should reconstruct:
When KYC was first uploaded
Who changed which field, when, and on what basis
Supporting documents (OVDs, video KYC records, POI/POA extracts)
Approval chains and sign-offs
ZIGRAM’s Doss Engine stores, tags, and retrieves KYC documents and interactions supporting CKYC data fields. This creates the evidentiary foundation for supervisory discussions.
Strong auditability increases comfort for both RBI supervisors and internal audit committees. It demonstrates that “last updater” responsibility is managed proactively, not reactively after problems emerge.
Bank customers benefit too faster onboarding (40% improvement reported) when institutions can rely confidently on existing records.
As new risks emerge, institutions must adapt their reliance strategies accordingly.
Special focus: emerging risks, crypto entities, and ESG-linked customers
Not all customers are equal under the reliance regime.
Emerging risk segments: VDA/crypto platforms, cross-border fintechs, and ESG-sensitive sectors require more granular KYC than CKYC alone provides. Reliance becomes just the starting point.
Additional Requirements for High-risk Segments
Source of funds and source of wealth verification
On-chain analysis for crypto-related customers
ESG-related controversy screening
Enhanced beneficial ownership analysis
FIU-IND expectations for crypto entities go beyond standard CKYC fields. Similarly, the export import bank and cross-border lending operations face heightened scrutiny.
ZIGRAM’s crypto-related entity risk modules and ESG risk datasets extend CKYC-based onboarding. These provide deeper risk views aligned with regulatory expectations for non-standard counterparties.
In supervisory dialogue, institutions can demonstrate compliance beyond CKYC upload requirements—mitigating enforcement exposure even when acting as the last updater.
Practical recommendation:
Pre-define risk-based playbooks specifying:
When CKYC reliance is acceptable
When enhanced due diligence is mandatory
When to decline onboarding entirely
ZIGRAM helps encode these into system rules, ensuring consistent application across your bank branch network and digital channels.
With emerging risks addressed, let’s consider KYC’s role in cross-border accountability and foreign exchange management.
Managing Foreign Exchange and Exchange Rates: KYC and cross-border accountability
The Reserve Bank of India plays a pivotal role in managing the country’s foreign exchange reserves and regulating exchange rates to ensure ongoing monetary stability. Through a combination of policy tools, including the adjustment of interest rates and the imposition of margin requirements, the RBI works to prevent excessive volatility in the foreign exchange market and to maintain confidence in the rupee. These efforts are vital for supporting international trade, investment, and the broader credit system.
KYC norms are integral to the RBI’s approach to cross-border transactions. By requiring financial institutions to maintain robust KYC records, the Reserve Bank of India ensures that all international transactions are transparent, traceable, and compliant with both domestic regulations and global standards. This not only helps prevent money laundering and terrorist financing but also aligns India’s financial institutions with best practices worldwide. The RBI collaborates closely with other regulatory bodies, such as SEBI and IRDAI, to enforce KYC compliance across all financial institutions, reinforcing the security and integrity of cross-border payments and lending. Through these measures, the RBI upholds its commitment to monetary stability and the smooth functioning of India’s financial markets.
To put these principles into practice, institutions should follow a structured roadmap for aligning their KYC operating models.
Practical roadmap: aligning your KYC operating model with RBI’s guidance
Steps to Align Your KYC Operating Model
Assess current state
Review a sample of CKYC-uploaded records (10% minimum) to understand:
Error patterns and rejection reasons
Instances where other institutions relied on your records
Gaps in beneficial ownership or OVD currency
Update policies and SOPs
Explicitly define:
When and how CKYC reliance is permitted
What due diligence must still be performed
Who signs off on exceptions
Escalation paths for data quality issues
Strengthen data quality controls
Implement pre-upload validations covering all mandatory fields
Automate document expiry tracking
Standardise address formats
Integrate RegTech
Evaluate solutions like ZIGRAM’s suite to automate screening, monitoring, data validations, and audit logging
Manual processes don’t scale—and they create error-prone gaps
Establish governance
Assign senior ownership for CKYC data quality
Report metrics to board-level risk committees
Track progress against targets
Ready to assess your current CKYC lifecycle and design an implementation roadmap? Book a Demo with ZIGRAM to get started.
Conclusion: turning RBI’s reliance framework into a competitive advantage
RBI’s clarified reliance regime isn’t just another compliance obligation. Managed well, it reduces onboarding friction, improves customer experience, and lowers operational costs. Studies suggest uniform KYC processes can cut onboarding costs by 30-50% for fintechs.
Institutions that invest in “first-time right” KYC capture, robust data-quality controls, and lifecycle management will be best positioned—both to minimise regulatory liability as last updaters and to earn customer trust.
ZIGRAM combines SaaS platforms with managed services to deliver end-to-end KYC and AML lifecycle management, aligned with RBI, PMLA, and CKYC expectations.
As India’s regulatory landscape evolves, digital rupee pilots, cross-border payment initiatives, new sectoral guidelines, institutions with reliable, accountable KYC foundations, and smart reliance strategies will be more agile and resilient.
The framework is clear. The technology exists. The question is whether your institution will lead or follow.
